Critical severity9.8NVD Advisory· Published Nov 23, 2017· Updated May 13, 2026

CVE-2017-16931

Description

parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.

Affected products

Xmlsoft/Libxml2
cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
Range: <=2.9.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3nvdPatchThird Party Advisory
xmlsoft.org/news.htmlnvdRelease NotesVendor Advisory
bugzilla.gnome.org/show_bug.cginvdPermissions Required
lists.debian.org/debian-lts-announce/2017/11/msg00041.htmlnvd
www.oracle.com//security-alerts/cpujul2021.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000